Overview

overview

7

Static

static

1

Passwrod_2...up.rar

windows10-2004-x64

7

Analysis

  • max time kernel
    158s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2023 17:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Passwrod_2024_With_Setup.rar

  • Size

    11.6MB

  • MD5

    9a6f96485e55ad7ee783700274b1ba5d

  • SHA1

    2137a6e18fce206b8e93e61b041804b95272d312

  • SHA256

    e0bbe82872c8343174e37f8340326586a321974b0bcf6d9a1087d5a8b7371552

  • SHA512

    15fcc0a70f8b1227fcadc3673814ff3e72ef780154ae0083efe476cd8eb49736c79cd2eb219c06802eac6cf94a7d85fcaacc672a1cb160ea78f274cc869eb699

  • SSDEEP

    196608:1tFomhPXHFWx5jvpOoaxRDHA8xr70D2jBUxZ60TayF+GLSUlGybeLL0qGAmfxkcH:toc/lWD4HxRHBrfjBwTF+W0ybw2AmJgm

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 43 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Passwrod_2024_With_Setup.rar
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Passwrod_2024_With_Setup.rar"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1748
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1596
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1504
    • C:\Users\Admin\Desktop\New folder\Setup.exe
      "C:\Users\Admin\Desktop\New folder\Setup.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3736
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe
        2⤵
          PID:2448

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Desktop\New folder\Setup.exe
        Filesize

        2.4MB

        MD5

        9fb4770ced09aae3b437c1c6eb6d7334

        SHA1

        fe54b31b0db8665aa5b22bed147e8295afc88a03

        SHA256

        a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

        SHA512

        140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

        Download Submit

      • C:\Users\Admin\Desktop\New folder\UIxMarketPlugin.dll
        Filesize

        1.4MB

        MD5

        eda80130c34e54a95623178ab7bbd216

        SHA1

        2198ddeb43dc5e925296472649db846710e69cf1

        SHA256

        6655e3831fff198417391865e2e1fea2be11a5b869ea86cbeda6ede07ffa5915

        SHA512

        594f5a52caaf40b9be62da0632c8b63656d97db8fc1cf588cfb43247c971d7ab048123d7fbedc72f705cdc27e7915f3e225f3803dc460b9e16d1132f1fe384f2

        Download Submit

      • C:\Users\Admin\Desktop\New folder\UIxMarketPlugin.dll
        Filesize

        1.5MB

        MD5

        c7344707c39b63d9a0b8ad0ff4f99c16

        SHA1

        5899d8399d5c4583ac359a0485e2ca87afeeb18a

        SHA256

        b5b3f5cd3d9b47fcf1887ae498a4c56e044be3fd6bc2244a307c658ef4461419

        SHA512

        0e8b07884788c8a4d0be4d15b5e8f942a6abd8a22fd394bfee86c64cad1647364c6850170f12808673352314001ecbda0315e361a8c9c0b31eb29da0cd7e3043

        Download Submit

      • C:\Users\Admin\Desktop\New folder\assessor.yaml
        Filesize

        1.0MB

        MD5

        79697dba059dba4916a5e61a5f85c4f6

        SHA1

        5f8c82b6f90a289fb99f20e6fe368e02a1ec6c94

        SHA256

        4213675cf630206a2d8cd4d16c0238c8368a061835bcdf318802bc3802b30f1c

        SHA512

        0eadc429aa9e77193d5ee9fdef3d0cbcb2850b7b2788dc87c137b15f0eb387e4709546c541c0a037600428463233ca7c8200696b2c8c87215d3a4835c6a2dbbc

        Download Submit

      • C:\Users\Admin\Desktop\New folder\hospice.pdf
        Filesize

        80KB

        MD5

        34bdf15f6ce45a1e97dbb2309ce6fbbd

        SHA1

        937bc8572e7f58a8b5045d665d8b33334410ad21

        SHA256

        73fc1264ea639309b89cb6534be3e563a7560525434ab35422d0aa2f96c21a00

        SHA512

        db17c3cf21836f1ba221b8da182885b78ef057240554acad0a3fb78ef0ef3c5ff3c313f541fe9f28bbe76ec8bb57210da4cb1a41c10351097eed2ac7f0e952b9

        Download Submit

      • C:\Users\Admin\Desktop\New folder\relay.dll
        Filesize

        1.5MB

        MD5

        7d2f87123e63950159fb2c724e55bdab

        SHA1

        360f304a6311080e1fead8591cb4659a8d135f2d

        SHA256

        b3483bb771948ed8d3f76faaa3606c8ef72e3d2d355eaa652877e21e0651aa9a

        SHA512

        6cb8d27ebcfdf9e472c0a6fff86e6f4ec604b8f0f21c197ba6d5b76b703296c10c8d7c4fb6b082c7e77f5c35d364bcffd76ae54137e2c8944c1ea7bb9e2e5f08

        Download Submit

      • memory/1504-21-0x0000029A97B70000-0x0000029A97B71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1504-24-0x0000029A97B70000-0x0000029A97B71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1504-26-0x0000029A97B70000-0x0000029A97B71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1504-25-0x0000029A97B70000-0x0000029A97B71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1504-23-0x0000029A97B70000-0x0000029A97B71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1504-22-0x0000029A97B70000-0x0000029A97B71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1504-14-0x0000029A97B70000-0x0000029A97B71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1504-20-0x0000029A97B70000-0x0000029A97B71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1504-16-0x0000029A97B70000-0x0000029A97B71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1504-15-0x0000029A97B70000-0x0000029A97B71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3736-35-0x0000000073430000-0x00000000735AB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3736-36-0x00007FFE544D0000-0x00007FFE546C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3736-41-0x0000000073430000-0x00000000735AB000-memory.dmp

        Filesize

        1.5MB

        Download